Phishing continues to be one of the top cybersecurity threats. The latest phishing trend is the inclusion of Quick Response (QR) codes within the phishing email. A QR code is a two-dimensional barcode that holds encoded data in a graphical black-and-white pattern. The data that a QR code stores can include URLs, email addresses, network details, Wi-Fi passwords, and serial numbers. What QR codes store is unknown until scanned. Phishing emails containing malicious QR codes may lead you to a spoofed website designed to install malware on your computer or device, or to steal your sensitive data, such as your password or credit card information.
QR codes are almost impossible to recognize as malicious by humans, so users must take extra precaution.
When presented with a QR code, do all of the following:
- Treat QR codes with even more caution than direct links. If you receive a QR code from someone you know, contact them directly and verify they sent it before you interact with it.
- When scanning a QR code, your device should display a box containing the linked website. Pay close attention to that link and don’t visit the website if not known to you and be very cautious of domains that use a URL shortener to hide the destination.
- Use the built-in scanner in your smartphone’s camera to scan QR codes. There is no need to download any QR code scanner through the app store. QR code scanners from the app store may come bundled with dangerous or malicious extras.
We must all be vigilant to protect ourselves. If you receive any suspicious emails or think that you may have been a target of information theft, please report to the appropriate person.